Comments (36)

Rich Moore

As a direct wholesaler of Uniview products, this is of great concern. Once I read this article, I had my operations manager as well as the tech department run some tests to see if the branded Uniview recorders that we sell were vulnerable. We have not been able to replicate this vulnerability. Can I assume that the only models vulnerable are the OEMs for Samsung?


Undisclosed Manufacturer #4

If you get a hash, google it, as there are websites containing reverse lookup tables for hashes of common passwords with different hashing algorithms. For instance, googling "e10adc3949ba59abbe56e057f20f883e" from Brian's list above, will give you "123456" (hashed using md5) which is probably the user password.

So it looks like they are just storing md5 hashes of the password. They should be using salted hashes at a minimum.

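The difference between the bare MD5 storage described in the comment above and a per-user salted, slow hash, as an added example that is not part of the original thread or any vendor's code. The account names, iteration count and storage string format are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; "123456" is the password the comment ties to the MD5 hash.
USERS = {"admin": "123456", "operator": "123456", "viewer": "correct horse battery"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the device's CPU budget


def md5_unsalted(password):
    """Weak scheme from the comment: a bare, unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Hardened scheme: random per-user salt plus a slow KDF, stored as one string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hashes(table):
    """Count accounts whose stored value equals another account's stored value."""
    values = list(table.values())
    return sum(1 for v in values if values.count(v) > 1)


if __name__ == "__main__":
    weak = {u: md5_unsalted(p) for u, p in USERS.items()}
    strong = {u: hash_password(p) for u, p in USERS.items()}
    # Unsalted: equal passwords give equal hashes, so one lookup exposes every reuse.
    print("unsalted MD5 duplicates:", duplicate_hashes(weak))
    # Salted: equal passwords give different records, so precomputed tables do not apply.
    print("salted PBKDF2 duplicates:", duplicate_hashes(strong))
    print("verify correct password:", verify_password("123456", strong["admin"]))
```
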

Brian Karas

Yes, good point. I debated getting into using rainbow tables to try and just crack the hashes without even messing with POST manipulations but decided to keep it more brief. But if the user has a weak password this creates even more risk/ease of exploit.


Undisclosed Manufacturer #4

Agreed, it's more a sign of amateurism than part of the actual exploit. It's the reason I use different passwords for every product, website etc unless I really trust the company to store the passwords correctly. Otherwise one account gets hacked and they have your credentials for everything.


Jay Hobdy

How hard is it to find these back doors? Or if you are a programmer, how hard is it to know this is a flaw? How preventable is this?

Here's the thing. My sub-division has a Facebook page. Once in a while we hear of people waking up and their cars being gone through. When I hear my neighbor Dale got robbed, I make sure I lock my car. When my neighbor Hilda gets robbed, I double down, check all the doors on my car, lock the house, and ensure my cameras are working.

I just can't imagine how a 3rd Chinese company could have these issues.


Undisclosed Manufacturer #4

"Or if you are a programmer, how hard is it to know this is a flaw? How preventable is this?"

In my experience, it is partly programmers to blame, and partly management.

At some point a developer needs to study what is required to write secure code, e.g. reading a book such as this one. If they don't they are likely to invent their own solutions, make common mistakes etc. In our industry, any insecure code a developer writes is likely to go straight to the customer i.e. testing departments won't pick it up, that's for sure, it is a specialized type of testing skill that they don't have.

It can take a developer weeks to make a product resistant to hacking during which nothing they do translates into any visible features. So to some managers, it can look like they are not getting any work done during this time. If they want praise, they tend to work on features that sales people, managers, end users can actually see and touch. Likewise, managers are under pressure from sales people, CEOs etc and it is often security that gets lowest priority in favor of features that can be listed as bullet points on marketing brochures.

So if you buy a software product where security is important, you hope it was written by a conscientious developer, or that the company knows about the problem and deals with it at a management level.


Undisclosed Manufacturer #4

I thought Dahua was horrible, but Uniview passed down to absolutely bottom.

I suspect there's still a lot of others out there. About 1 year ago, I encountered a camera that completely ignored the username and password when connecting via RTSP. I told them about the problem, they denied it, I persisted and they eventually agreed to fix it. They didn't seem overly concerned about the problem at all.


bashis mcw

By the way, the findings have been reported back to both the Chinese security researchers and also Hanwha Security, who reached out to the Chinese security researchers on their GitHub. I'm sure they are already aware, but did that just in case they might not have been.


Brian Karas

Some people have commented they were having issues with the Postman approach, which can be a bit awkward if you are not used to dealing with it. I spent a little time trying some other things, and realized you can do this all from the browser URL bar without anything fancy.


Brian Karas

What we posted is effectively the same information as what is contained in the publicly available CVE.

The purpose of this report is to allow members who may use, sell, install, or service Uniview equipment to determine if their systems are vulnerable so that they can act appropriately to patch or secure them.

We are certainly not recommending that people use this info for any kind of illicit purposes.


Undisclosed Distributor #7

I respect your reporting of an important security flaw, but do you really think that it's beneficial and responsible to provide a cut-and-pasteable (sp?) example on how to exploit this? While I'm sure most people here will use this in the manner in which it was intended, what happens when it falls into the wrong hands and people start logging in to units around the world illegally because you provided them the means to do so? While this may be effectively the same information available to the public via CVE, you have taken it to a well-read, semi-public site and simplified it so that anyone can use it within 30 seconds.


Brian Karas

I understand your concern, however I do not believe we have enabled the kinds of people who would want to use this vulnerability (or others we have similarly covered for other companies) with any knowledge they could not already easily figure out on their own. This is an extremely simple exploit, even in the first example shown. The core concept, passing back expected values in an HTTP POST, is almost as simple as it gets (the only one even less complex was Hikvision's Magic String Backdoor).

The flip side of this is that it has already been shown by some manufacturers that if we do not make it explicitly clear how easy some of these exploits are, how many systems are online, and the capabilities they expose to hackers that they will be spun as less risky than they really are. Or, people look at it and think "that won't happen to me, it takes too much effort to really pull off."


Brian Karas

Uniview has begun releasing updated firmware for this vulnerability. According to the company, the easiest way to check/upgrade is to use the recorder's built-in cloud upgrade check. From Setup->Maintenance there should be a "Check" button to check for new firmware:

Clicking the "Check" button will cause the recorder to check for updated firmware and provide the option to upgrade:


The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.